Average amount of bandwidth used in DDoS attacks spiked eight-fold last quarter.

Coordinated attacks used to knock websites offline grew meaner and more powerful in the past three months, with an eight-fold increase in the average amount of junk traffic used to take sites down, according to a company that helps customers weather the so-called distributed denial-of-service campaigns.

The average amount of bandwidth used in DDoS attacks mushroomed to an astounding 48.25 gigabits per second in the first quarter, with peaks as high as 130 Gbps, according to Hollywood, Florida-based Prolexic. During the same period last year, bandwidth in the average attack was 6.1 Gbps and in the fourth quarter of last year it was 5.9 Gbps. The average duration of attacks also grew to 34.5 hours, compared with 28.5 hours last year and 32.2 hours during the fourth quarter of 2012. Earlier this month, Prolexic engineers saw an attack that exceeded 160 Gbps, and officials said they wouldn't be surprised if peaks break the 200 Gbps threshold by the end of June.

The spikes are brought on by new attack techniques that Ars first chronicled in October. Rather than using compromised PCs in homes and small offices to flood websites with torrents of traffic, attackers are relying on Web servers, which often have orders of magnitude more bandwidth at their disposal. As Ars reported last week, an ongoing attack on servers running the WordPress blogging application is actively seeking new recruits that can also be harnessed to form never-before-seen botnets to bring still more firepower.

Also fueling the large-scale assaults are well-financed attackers who are increasingly able to coordinate with fellow crime organizations, Prolexic officials wrote in a quarterly global DDoS report published Wednesday.

"These types of attack campaigns appear to be here to stay as a staple on the global threatscape," they wrote. "Orchestration of such large attack campaigns can only be achieved by having access to significant resources. These resources include manpower, technical skills and an organized chain of command."

The most prominent targets of DDoS attacks over the past six months have been the nation's largest banks, which at times have become completely unreachable following above-average floods of traffic. Most of the assaults were preceded by online posts that showed the writer had foreknowledge of what was about to happen. The posts were penned by self-proclaimed members of Izz ad-Din al-Qassam Brigades, the military wing of the Hamas organization in the Palestinian Territories, and said the attacks were in retaliation for videos posted to YouTube that were insulting to Muslims. The Prolexic report cast doubt on some of that narrative.

Prolexic "believes these attacks go beyond common script kiddies as indicated by the harvesting of hosts, coordination, schedules and specifics of the selected attack targets," the report stated. "These indicators point to motives beyond ideological causes, and the military precision of the attacks hints at the use of global veteran criminals that consist of for-hire digital mercenary groups."

Not the only one

Prolexic is by no means the only DDoS mitigation service that's seeing more powerful attacks. For 45 minutes on Tuesday, San Francisco-based CloudFlare's network was bombarded by data sent by more than 80,000 servers across the Internet that all appeared to be running WordPress. Over the past half-year, CloudFlare has seen a dramatic uptick in attacks that target website applications, such as those that provide encrypted HTTPS sessions. In many cases, those types of attacks are much harder to block.

"Sometimes the nastiest attacks aren't the biggest ones," CloudFlare CEO Matt Prince told Ars. "The nasty attacks that we're seeing right now are the ones that go after the underlying application by doing something like sending a ton of traffic to a log-in page."

Attackers in such cases will unleash scripts that enter a legitimate user name along with passwords that are known to be invalid. When repeated millions of times, the technique overwhelms targeted systems as servers perform database lookups, report the authentication failure, and then record it in internal logs.

In addition to increasingly well-funded and organized attackers and new techniques, the growing firepower of DDoS attacks is also getting a boost from the proliferation of do-it-yourself Web applications such as WordPress and Joomla, Prince said. In that respect these applications, which are designed to help people with only moderate levels of technical expertise deploy websites, could become to this decade what early versions of Microsoft's Windows XP were to the previous decade.

"It is clear that if the story of the 2000s was how easy it was to compromise desktop PCs and turn them into spam-sending engines or botnets to do other nefarious things, the story of the 2010s is going to be how easy it is to compromise server software, which has gotten very consumerized and doesn't necessarily have the best security in place," Prince said. "If a server is 10 times as powerful as a desktop computer then you only need one-tenth to do the same level of damage."

Promoted Comments

I'm really OK with pulling their internet plug (any country harboring these thugs). Turn the whole area off from the outside world. Let them attack each other. Why should they be allowed to corrupt our systems in their never-ending war of hate against everything modern?

Just received word your neighbor is operating a botnet. In order to prevent corruption of our systems, we are pulling the internet plug for your neighborhood. Sorry, no Netflix for you tonight.

So, remember that article about millions of open telnet ports (port 23) found around the interwebs? And most of those were accessible w/default passwords (admin/admin, etc.). Every time I see an article talking about spikes in DDoS attacks, I wonder how many of those have been taken over as bots. My understanding is, most of those aren't user-errors, but manufacturer faults for leaving open ports on things like printers (thanks, HP!) and the like. Yeah, good luck fixing all of those.

Oh, I know a lot of ppl poo-poo his credentials, but I find him informative so... Steve Gibson went into more detail on the above findings on his podcast. Transcript here.

I operate a Wordpress site. For a while I was seeing better than 150 illicit attempts to login per hour. Being sort of a stubborn cuss, I opened wp-login and rewrote parts of it. Now an IP address has two attempts to login. If those two attempts are unsuccessful, the IP receives a temp ban for a period of time. If there are three other unsuccessful attempts to login, that IP address is written to .htaccess as deny from aaa.bbb.ccc.ddd as a permanent ban. That slowed the attacks. My host is also recording and banning IP addresses that make repeated failed attempts to login. This solution will not work for those that allow readers to login.

Fortunately there is another solution that works well. Install the plugins "Mute Screamer" and "Better WP-Security" set as much as the security as is possible for your arrangement in the WP-Security dashboard and the "Tweaks" panel and set login limits to three - five failed logins for a temp ban of 15 minutes. Mute Screamer is an IDS system that will notify you of attempted intrusions. Better WP-Security can be toggled to record changed files and make recovery after any alteration easier.
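As an added example (not code from the article, from WordPress, or from any commenter), the following Python sketch implements the per-IP policy described in the comment above (second failure starts a temporary ban, fifth failure becomes a permanent `deny from` line for .htaccess) and, beside it, the per-username distinct-source count that is the signal left behind when the login-page flood the article describes comes from many addresses at once. Class and function names, thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict


class LoginThrottle:
    """Per-source-IP gate for a login page. Thresholds are assumptions:
    the 2nd failure starts a temporary ban, the 5th failure turns into a
    permanent .htaccess 'deny from' rule."""

    def __init__(self, temp_ban_after=2, perm_ban_after=5, temp_ban_seconds=900):
        self.temp_ban_after = temp_ban_after
        self.perm_ban_after = perm_ban_after
        self.temp_ban_seconds = temp_ban_seconds
        self.failures = defaultdict(int)  # ip -> failures counted so far
        self.temp_until = {}              # ip -> time the temporary ban ends
        self.permanent = set()            # ips destined for .htaccess

    def is_blocked(self, ip, now):
        if ip in self.permanent:
            return True
        return now < self.temp_until.get(ip, float("-inf"))

    def attempt(self, ip, now, password_ok):
        """Gate one login attempt and report what happened:
        'blocked'  ban in force; rejected before any DB lookup or log write
        'ok'       allowed and the credentials were valid
        'failed'   bad credentials, still below both thresholds
        'temp_ban' this failure started the temporary ban
        'perm_ban' this failure produced the permanent deny rule"""
        if self.is_blocked(ip, now):
            return "blocked"
        if password_ok:
            self.failures.pop(ip, None)  # assumption: a success clears the count
            return "ok"
        self.failures[ip] += 1
        n = self.failures[ip]
        if n >= self.perm_ban_after:
            self.permanent.add(ip)
            self.temp_until.pop(ip, None)
            return "perm_ban"
        if n == self.temp_ban_after:
            self.temp_until[ip] = now + self.temp_ban_seconds
            return "temp_ban"
        return "failed"

    def htaccess_lines(self):
        """Lines to append to .htaccess for the permanently banned sources."""
        return [f"deny from {ip}" for ip in sorted(self.permanent)]


def run_throttle(events, throttle=None):
    """Feed (timestamp, ip, username, success) events through a throttle in
    time order; returns the list of outcomes and the throttle itself."""
    throttle = throttle or LoginThrottle()
    outcomes = [throttle.attempt(ip, ts, ok) for ts, ip, _user, ok in sorted(events)]
    return outcomes, throttle


def username_flood(events, window_seconds=60, min_distinct_ips=20):
    """Per-username signal for the distributed case: count distinct source IPs
    behind failed logins for each username inside a sliding window. Returns
    {username: peak distinct-IP count} for usernames over the threshold."""
    by_user = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            by_user[user].append((ts, ip))
    flagged = {}
    for user, fails in by_user.items():
        fails.sort()
        live = defaultdict(int)  # ip -> failures inside the current window
        j = 0
        for ts, ip in fails:
            live[ip] += 1
            while fails[j][0] < ts - window_seconds:  # drop events that aged out
                old_ip = fails[j][1]
                live[old_ip] -= 1
                if live[old_ip] == 0:
                    del live[old_ip]
                j += 1
            if len(live) >= min_distinct_ips:
                flagged[user] = max(flagged.get(user, 0), len(live))
    return flagged


# Constructed sample events (TEST-NET addresses, not real sources).
ATTACKER = "198.51.100.7"
SINGLE_SOURCE = [
    (0, ATTACKER, "admin", False),
    (1, ATTACKER, "admin", False),     # 2nd failure -> temporary ban
    (2, ATTACKER, "admin", False),     # inside the ban -> rejected cheaply
    (1000, ATTACKER, "admin", False),  # ban expired -> 3rd failure
    (1001, ATTACKER, "admin", False),
    (1002, ATTACKER, "admin", False),  # 5th failure -> permanent rule
    (5000, ATTACKER, "admin", False),  # permanently blocked
    (6000, "192.0.2.10", "editor", True),
]
# Same username, one bad password each, from 30 different addresses: the
# per-IP throttle never trips, the per-username count does.
DISTRIBUTED = [(7000 + i, f"203.0.113.{i}", "admin", False) for i in range(1, 31)]
```

Running `run_throttle` over `DISTRIBUTED` yields 30 plain failures and an empty deny list, while `username_flood` over the same events flags `admin` with 30 distinct sources.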

Quick note, since these specific attacks are coming from a huge pool of IPs, this approach isn't going to be very effective against this specific attack. Plugins that slow or throttle login attempts are more useful than those that simply block IPs (look at Login Security Solution, or better the Google Authenticator two factor login).

In any case security for this is best handled as far down the web stack as possible where it'll consume the least resources. Allowing 90000 IPs to attempt to access the login pages is going to knock most sites offline, even if no login attempt is made. This is why for this attack the most effective place to block it is before it reaches the server by a security proxy/web application firewall service like CloudFlare, Incapsula, Cloud Proxy, etc...

It's unlikely any solution to this will make it into WordPress because as mentioned above it's mostly the wrong place for it. The firewall should be on apache/nginx (mod_security/naxsi) before a PHP thread even gets spun up. WP could bake required password strength, login throttling, or two factor auth into core, but why should WP dictate one solution when there are many good solutions available for each of the many possible attack vectors?

If site owners don't know or don't want to be bothered with decisions about server configuration or what WP security precautions to implement, they have the option to hire a professional. That might be a consultant or might be paying for managed hosting from WP Engine, ZippyKid, etc...

I feel the root problem with all of this is the consumerization of web hosting by companies like GoDaddy/Host Gator/etc which offer lay people one-click installs of web applications without really explaining that it (the hosting company) isn't providing support for the software or even basic security measures at the server level.

That's not entirely fair, as hosts do most of what security hardening they can, but it is limited. Shared hosting is hard to impossible to secure because what you do for WP might break phpBB, what you do for Drupal might break OS Commerce. Further, since it is shared hosting, users often don't have access to lock things down better even if they had the technical skill... Which all leads to users trying to block attacks like this where they do have control, WordPress/PHP, even when that's a poor place to do it.

60 Reader Comments

It's still possible I've misunderstood somewhere, but this article does seem to fall victim to the classic "8-fold" vs. "8-times" distinction. A "fold" is a geometric progression and doubles at each step. 6.1 Gbps (un)folded 8 times is 1561 Gbps, not 48 Gbps nor even 130 Gbps. If I've missed the numbers which validate the 8-fold comparison, please enlighten me. If not, please stop perpetuating this uninformed usage.

While I'm on my soapbox, I'll point out that a "podium" is something you stand on, and a "lectern" is what you stand behind. Also, you can have a "2nd annual" event, but "1st annual" is nonsense because it had to have happened once before in order to be an "annual" event.

When things like WordPress and LAMP (or worse yet, WAMP) hit the scene, I wondered if things like this would start happening. Once you standardize creating web servers or content platforms, you standardize the bugs that attackers will exploit.

I wonder if WordPress will incorporate something into their next release mandating users change the admin password or create one following certain strength criteria.

... this article does seem to fall victim to the classic "8-fold" vs. "8-times" distinction. A "fold" is a geometric progression and doubles at each step. 6.1 Gbps (un)folded 8 times is 1561 Gbps, not 48 Gbps nor even 130 Gbps.

As someone who was completely ignorant of this, I sincerely thank you.

The amount of ignorant PC users I see that ask me to fix their PC that turns out to be completely infected with all sorts of malware is staggering.

I used to oppose this, but it is time that providers that detect infected PCs that are part of a botnet block access from those IP addresses to and from the internet. Send these people a message to fix their PCs and take appropriate measures by phone and snail mail. Once they declare they have done that reinstate their service.

These botnets can only exist because of ignorant people. We have requirements to allow you to drive on the roads, that include temporarily denying access. Make some rules for the electronic highway too.


The amount of ignorant PC users I see that ask me to fix their PC that turns out to be completely infected with all sorts of malware is staggering.

I used to oppose this, but it is time that providers that detect infected PCs that are part of a botnet block access from those IP addresses to and from the internet. Send these people a message to fix their PCs and take appropriate measures by phone and snail mail. Once they declare they have done that reinstate their service.

These botnets can only exist because of ignorant people. We have requirements to allow you to drive on the roads, that include temporarily denying access. Make some rules for the electronic highway too.

People will just have to learn basic internet safety.

And what to do when that system is used to phish new malware? It just reminds me of the greater awareness for the need of antivirus protection being exploited by fake antivirus scams.

The amount of ignorant PC users I see that ask me to fix their PC that turns out to be completely infected with all sorts of malware is staggering.

I used to oppose this, but it is time that providers that detect infected PCs that are part of a botnet block access from those IP addresses to and from the internet. Send these people a message to fix their PCs and take appropriate measures by phone and snail mail. Once they declare they have done that reinstate their service.

These botnets can only exist because of ignorant people. We have requirements to allow you to drive on the roads, that include temporarily denying access. Make some rules for the electronic highway too.

People will just have to learn basic internet safety.

And what to do when that system is used to phish new malware? It just reminds me of the greater awareness for the need of antivirus protection being exploited by fake antivirus scams.

You can't fix stupid.

I agree. While it would help to prevent access, the system is also easy to abuse to keep legitimate users offline. Also, preventing internet access means you have no way to download software to help fix the issue. What is really needed is better education regarding software updates, antivirus usage and password security. I still see way too many (competent) people who ignore critical updates or use weak passwords.

I also think two-factor authentication for all logins would go quite a way to help (even if it is annoying, but then again security is seldom convenient)

The amount of ignorant PC users I see that ask me to fix their PC that turns out to be completely infected with all sorts of malware is staggering.

People will just have to learn basic internet safety.

Ditto. I can't remember the last time I worked on someone's that wasn't infected.

However, the word safety is a misnomer here. You can refuse unsolicited downloads, you can not open suspicious mail, you can stay away from rogue sites, and still get a virus from a legitimate site.

Case in point, I was researching some auto paint for a car painter buddy of mine, and I googled 'automotive paint'. The third link from the top in the results gave me a virus via drive-by.

I probably get about 5 a year just from plain old browsing.

The website Phys.org (I visit every day), gets flagged at least twice a year for having malicious content. An unscrupulous ad no doubt, but none the less, perfectly safe browsing on their site gave someone a virus. They fix it right away, but too late by then.

My sister and her boyfriend pay for Norton, have Defender running, all firewalls are up, they install all windows updates, they do not do any browsing AT all (in my book, beyond paranoid) except for ebay, do not open mails from ANYBODY except family, and they never EVER download anything.

Yet, their computer is ravaged wellll beyond repair with viruses. It crawls so bad I am surprised it even runs. Gotta wait at least 3mins for any app to start running. Problem is, her boyfriend says everything's ok and does not want me to fix it. Dumb dumb dumb. And it pisses me off cause I am in their address book.

I offered to reinstall windows for them (they have everything already backed up), yet they refuse. Thus guaranteeing to keep the bots flowing. I tell ya, there oughta be a law against not fixing a botted up computer.

And what to do when that system is used to phish new malware? It just reminds me of the greater awareness for the need of antivirus protection being exploited by fake antivirus scams.

You can't fix stupid.

I don't know about designating users who fall for those attacks as "stupid." Unaware or uninformed is the better term.

The better question is why those sorts of advertisements are tolerated or even legal. They are a form of fraud. Malware is a serious problem, and these pseudo-security companies are contributing to it. By way of analogy, would we tolerate it if some company had set up an electric sign on the road, pasted some police-looking symbols on it to make it look official, and then had a message going about how your car was sighted as having a problem or being in some violation, so pull over at the next exit and buy something to fix the problem? I'm fairly certain that doing something like that would result in multiple lawsuits. And if people did pull over, would we call those drivers stupid? I wouldn't, but I would have some choice words for whoever came up with the ploy.

These types of ads are commonplace and most of us expect that people have seen (and possibly been burned by) at least one. As a result, new infections seem like people who are totally zoned out or people who aren't learning. Those accusations may be true, but we should be questioning why these practices aren't being rejected more strongly.

More CloudFlare self-promotion - getting sick of them already. (We need an ISO standard set of tags for CloudFlare self-promotion articles, non-news articles about people promoting their new books, etc so RSS feeds could auto-hide them.)

What's so astounding ... even in 2013 it seems that security concerns are hardly a concern. Why are so many (quite often semi pro) admins so utterly careless to either use extremely weak passwords, leave their login credentials anywhere on the net or don't patch their sw? This kind of wanton indifference is condemnable since it renders many efforts with regard to security futile and pointless. I can add tons of load balancers but if some dork of an admin still uses Alex123 as his password all labor is in vain.

It's still possible I've misunderstood somewhere, but this article does seem to fall victim to the classic "8-fold" vs. "8-times" distinction. A "fold" is a geometric progression and doubles at each step. 6.1 Gbps (un)folded 8 times is 1561 Gbps, not 48 Gbps nor even 130 Gbps. If I've missed the numbers which validate the 8-fold comparison, please enlighten me. If not, please stop perpetuating this uninformed usage.

While I'm on my soapbox, I'll point out that a "podium" is something you stand on, and a "lectern" is what you stand behind. Also, you can have a "2nd annual" event, but "1st annual" is nonsense because it had to have happened once before in order to be an "annual" event.

What Does a Twofold Increase Mean?

Date: 01/23/2004 at 04:57:51
From: Laura
Subject: 2-fold increase

What does a onefold increase mean? Is a twofold increase simply twice the amount? What about a threefold increase? I'm not used to this terminology of using "fold." Does it refer to powers or multiples?

I used to oppose this, but it is time that providers that detect infected PCs that are part of a botnet block access from those IP addresses to and from the internet.

I certainly oppose this, since it is draconian, and only punishes ordinary people who are not computer savvy. Even if they would happen to be computer savvy, no access to the internet means that they would be unable to access information on how to remove the bots, secure their PC, or pretty much do anything but completely reinstalling their OS. (probably without any backups since cloud storage is big these days.)

However, I do agree that ISP's that detect unusual behaviour should inform the customer about this.


It's a delicate subject.

It's like quarantine. On one hand you're taking away someone's "rights", but on the other hand, the rest of society will get hurt if you don't.

At some point people need to take responsibility for their computers and repeat offenders should be punished in some fashion. Nothing harsh, but quite annoying would work.

Fail car analogy! I don't know how to build a car, but I do have to know how to safely drive one before I can drive on public roads.


I operate a Wordpress site. For a while I was seeing better than 150 illicit attempts to login per hour. Being sort of a stubborn cuss, I opened wp-login and rewrote parts of it. Now an IP address has two attempts to login. If those two attempts are unsuccessful, the IP receives a temp ban for a period of time. If there are three other unsuccessful attempts to login, that IP address is written to .htaccess as deny from aaa.bbb.ccc.ddd as a permanent ban. That slowed the attacks. My host is also recording and banning IP addresses that make repeated failed attempts to login. This solution will not work for those that allow readers to login.

That is certainly a solution (and there are many others). I remember writing snort rules to detect failed login attempts and then code to read the snort log, perform some statistics and then update the firewall rules for blocking these IPs for a month.

The issue with these solutions is that, while they work, they are difficult to port. Ideally, Wordpress should have an integrated functionality to automatically block this kind of attack (it's not that hard, really, as you discovered: a temporary ban after X failed logins is all it would take).

So, lately, I've decided to take another direction: I registered a free account with CloudFlare, and registered all my web domains with them. They automagically screen my web pages against this kind of issue (and others).

I also quite like how they do that: not only do they analyze the requests but they also maintain global lists of "bad" IPs. When a web page is requested from one of these IPs, they serve a challenge page to the user instead of serving the real web site so legitimate users can still connect, it's just the bots that are blocked. They act somewhat like a DNSBL for web pages.

The downside is that, if I want to add SSL to a domain, I can't do that with their free tier and I have to go for a (paid) pro plan (at least).

I operate a WordPress site with a friend and my first plugins are security ones. We noticed a huge number of attempts to access the site, but you only get two attempts before you're blocked. So weee!

Should we be reporting the IP addresses? I'm not a tech professional, the Wordpress site is a blog for a class project (I'm completing my M.S. in Marketing).

As an aside, there are times when I wonder if it might actually be necessary to remove the United States from the world wide web. Just block all external traffic. Period. We can include Canada (who doesn't like Canada), but just cut off everyone else. I think that thinking this is stupid, and idiotic, and against everything the web is for, but a nagging part of my brain insists that it is the only way to keep something nice, especially as the attacks become larger and larger and more destructive. And this makes me very sad.

Note to ARS, I don't know if you're quoting an e-mail or other written message, but "If a server is 10 times as powerful as a desktop computer than you only need one-tenth to do the same level of damage." should be "then", not "than". Love the article's picture, though.

...My sister and her boyfriend pay for Norton, have Defender running, all firewalls are up, they install all windows updates, they do not do any browsing AT all (in my book, beyond paranoid) except for ebay, do not open mails from ANYBODY except family, and they never EVER download anything.

Yet, their computer is ravaged wellll beyond repair with viruses. It crawls so bad I am surprised it even runs. Gotta wait at least 3mins for any app to start running. Problem is, her boyfriend says everything's ok and does not want me to fix it. ...

I'd suspect someone doesn't want you to see what is actually going on with the PC ... as in "Nooo, we never surf teh interwebz, trust me..." [wink][wink] [nudge][nudge] At least in my experience, if someone swears they don't surf to questionable websites, etc., they're usually lying.

Hmmm, I hope the 21% of computer security professionals who did not believe there would be a major infrastructure attack this year have been forced to start looking for new professions since it is only April and quite obvious they know jack about actual computer security.

It's still possible I've misunderstood somewhere, but this article does seem to fall victim to the classic "8-fold" vs. "8-times" distinction. A "fold" is a geometric progression and doubles at each step. 6.1 Gbps (un)folded 8 times is 1561 Gbps, not 48 Gbps nor even 130 Gbps. If I've missed the numbers which validate the 8-fold comparison, please enlighten me. If not, please stop perpetuating this uninformed usage.

Can you provide a source please?

I'm thinking you're falling victim to believing that jargon is universal. Does your definition of "n-fold" come from a specific field?

Normal dictionary entries for "-fold" say it is an adjective form for cardinal number multiplication -- e.g. that "threefold" means three times as many.

Webster's 1913: "Times or repetitions; -- used with numerals, chiefly in composition, to denote multiplication or increase in a geometrical ratio, the doubling, tripling, etc., of anything; as, fourfold, four times, increased in a quadruple ratio, multiplied by four."

Oxford American Dictionary: "suffix forming adjectives and adverbs from cardinal numbers: 1 in an amount multiplied by : threefold. 2 consisting of so many parts or facets : twofold."

The amount of ignorant PC users I see that ask me to fix their PC that turns out to be completely infected with all sorts of malware is staggering.

I used to oppose this, but it is time that providers that detect infected PCs that are part of a botnet block access from those IP addresses to and from the internet. Send these people a message to fix their PCs and take appropriate measures by phone and snail mail. Once they declare they have done that reinstate their service.

These botnets can only exist because of ignorant people. We have requirements to allow you to drive on the roads, that include temporarily denying access. Make some rules for the electronic highway too.

People will just have to learn basic internet safety.

And what to do when that system is used to phish new malware? It just reminds me of the greater awareness for the need of antivirus protection being exploited by fake antivirus scams.

You can't fix stupid.

No, but you can fix ignorant and a lot of people are most definitely that when it comes to internet safety/security.

The amount of ignorant PC users I see that ask me to fix their PC that turns out to be completely infected with all sorts of malware is staggering.

People will just have to learn basic internet safety.

Ditto. I can't remember the last time I worked on someone's that wasn't infected.

However, the word safety is a misnomer here. You can refuse unsolicited downloads, you can not open suspicious mail, you can stay away from rogue sites, and still get a virus from a legitimate site.

[...]

Yet, their computer is ravaged wellll beyond repair with viruses. It crawls so bad I am surprised it even runs. Gotta wait at least 3mins for any app to start running. Problem is, her boyfriend says everything's ok and does not want me to fix it. Dumb dumb dumb. And it pisses me off cause I am in their address book.

I offered to reinstall windows for them (they have everything already backed up), yet they refuse. Thus guaranteeing to keep the bots flowing. I tell ya, there oughta be a law against not fixing a botted up computer.

On the first part, definitely true. I've had it happen to me once, the malware wasn't smart enough to take out the virus scanner though and it was recognized at the first update that included it.

On the other hand, my mother has never had any malware even though she knows nothing about computers. She's on windows 7 which is set to update automatically. I told her that no matter what happens if windows asks her for administrator privileges to call me and if she can't reach me just decline.

I have friends that are that obnoxious and I kept getting spam from them. I now have a new e-mail address (easy when you have your own domain and server) which I didn't give them. The old e-mail address is still active and all incoming mail is sent to /dev/null. When asked why I never responded to their e-mail I simply said they are blacklisted because they sent me too many infected e-mails. If they want to reach me they will just have to call.

I've educated my friends to not give my e-mail address to anyone even other friends years ago. Everyone that has my e-mail address knows they will get blacklisted if they include me in mass e-mail without using bcc. The result is an inbox that is completely free of spam without a spam filter! If that address would ever get out and spam would come I would probably switch to whitelisting instead.

Note to Ars: I don't know if you're quoting an e-mail or other written message, but "If a server is 10 times as powerful as a desktop computer than you only need one-tenth to do the same level of damage." should be "then", not "than". Love the article's picture, though.

...My sister and her boyfriend pay for Norton, have Defender running, all firewalls are up, they install all Windows updates, they do not do any browsing AT all (in my book, beyond paranoid) except for eBay, do not open mails from ANYBODY except family, and they never EVER download anything.

Yet, their computer is ravaged wellll beyond repair with viruses. It crawls so bad I am surprised it even runs. Gotta wait at least 3 mins for any app to start running. Problem is, her boyfriend says everything's ok and does not want me to fix it. ...

I'd suspect someone doesn't want you to see what is actually going on with the PC ... as in "Nooo, we never surf teh interwebz, trust me..." [wink][wink] [nudge][nudge] At least in my experience, if someone swears they don't surf to questionable websites, etc., they're usually lying.

l8r)

Lol, this reminds me of the time someone I know asked me to salvage files he desperately needed for work from a dying hard drive. The PC wouldn't boot anymore since the system files were damaged. I put the drive in an external enclosure, booted Linux and imaged the drive (I knew who it came from). After extensive work on the image I managed to pull most of the data off intact. I went through it looking for the intended file, but I have never seen such a large collection of bizarre pr0n (folders named shemale, golden shower etc...) in my life before or since.

The drive was really beyond salvage, with plenty of bad sectors that even a low-level format would not fix. In the end I converted all the Word files he wanted to plain text and mailed them to myself (not to risk infecting my main Windows PC), deleted the image, took a magnet to the hard drive and dumped it in the trash.

Yet, their computer is ravaged wellll beyond repair with viruses. It crawls so bad I am surprised it even runs. Gotta wait at least 3 mins for any app to start running. Problem is, her boyfriend says everything's ok and does not want me to fix it. Dumb dumb dumb. And it pisses me off cause I am in their address book.

I offered to reinstall Windows for them (they have everything already backed up), yet they refuse. Thus guaranteeing to keep the bots flowing. I tell ya, there oughta be a law against not fixing a botted up computer.

Then I hate to tell your sister, but her boyfriend is downloading porn.

More CloudFlare self-promotion - getting sick of them already. (We need an ISO standard set of tags for CloudFlare self-promotion articles, non-news articles about people promoting their new books, etc so RSS feeds could auto-hide them.)

You mean this piece? Or are you saying DDoS isn't as bad as they're saying? As a direct victim of these "events" I can tell you they are very real, very sophisticated, and very expensive to counter.

I work for one of the biggest banks in the country. So far the perps have only been flooding us with bogus requests, so we can't serve a dynamic home page, or our login page. The game will change when they start attacks on our users. You only get 5 strikes before we lock you out... they could brute force randomized usernames and lock out legit customers easily.

It's still possible I've misunderstood somewhere, but this article does seem to fall victim to the classic "8-fold" vs. "8-times" distinction. A "fold" is a geometric progression and doubles at each step. 6.1 Gbps (un)folded 8 times is 1561 Gbps, not 48 Gbps nor even 130 Gbps. If I've missed the numbers which validate the 8-fold comparison, please enlighten me. If not, please stop perpetuating this uninformed usage.

Can you provide a source please?

I'm thinking you're falling victim to believing that jargon is universal. Does your definition of "n-fold" come from a specific field?

Normal dictionary entries for "-fold" say it is an adjective form for cardinal number multiplication -- e.g. that "threefold" means three times as many.

Webster's 1913: "Times or repetitions; -- used with numerals, chiefly in composition, to denote multiplication or increase in a geometrical ratio, the doubling, tripling, etc., of anything; as, fourfold, four times, increased in a quadruple ratio, multiplied by four."

Oxford American Dictionary: "suffix forming adjectives and adverbs from cardinal numbers: 1 in an amount multiplied by: threefold. 2 consisting of so many parts or facets: twofold."

Thanks to you and another reader for bringing facts back into the discussion. The sad thing is that 27 Ars subscribers gave this completely incorrect comment an up vote.

A large part of the problem is there is no simple, uniform method to contact ISPs about subscribers participating in a botnet or other nefarious activity. Back in the day, an email to webmaster, postmaster, abuse or a whois contact would be enough, but nowadays no one seems to care.

I think the only long-term solution is to implement a licensing system much like for cars, so that end users are forced to assume a degree of responsibility over the secure operation of their devices. Service providers and software vendors will also be held to a similar standard, with costly consequences if found negligent.

It's just like requiring gun locks or swimming pool fences in some jurisdictions.

I operate a WordPress site. For a while I was seeing better than 150 illicit attempts to login per hour. Being sort of a stubborn cuss, I opened wp-login and rewrote parts of it. Now an IP address has two attempts to login. If those two attempts are unsuccessful, the IP receives a temp ban for a period of time. If there are three other unsuccessful attempts to login, that IP address is written to .htaccess as deny from aaa.bbb.ccc.ddd as a permanent ban. That slowed the attacks. My host is also recording and banning IP addresses that make repeated failed attempts to login. This solution will not work for those that allow readers to login.
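The two-stage per-IP ban the comment describes, written out as an added example (this is not the commenter's modified wp-login code). The 15-minute temporary ban, the RFC 5737 sample addresses and the in-memory counters are assumptions; the comment gives no duration and writes permanent bans to .htaccess.

```python
"""Two-stage per-IP login throttle: 2 failures -> temporary ban,
3 further failures -> permanent ban (added example; not the commenter's code)."""
import time
from dataclasses import dataclass, field

TEMP_BAN_AFTER = 2                    # failures before a temporary ban
PERM_BAN_AFTER = TEMP_BAN_AFTER + 3   # three more failures -> permanent ban
TEMP_BAN_SECONDS = 15 * 60            # assumed duration; the comment gives none


@dataclass
class LoginThrottle:
    failures: dict = field(default_factory=dict)    # ip -> failure count
    temp_until: dict = field(default_factory=dict)  # ip -> unix time ban ends
    permanent: set = field(default_factory=set)     # ips destined for .htaccess

    def is_blocked(self, ip, now=None):
        """Check before showing the login form or processing credentials."""
        now = time.time() if now is None else now
        if ip in self.permanent:
            return True
        until = self.temp_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, now=None):
        """Count one failed login; return 'ok', 'temp' or 'permanent'."""
        now = time.time() if now is None else now
        if ip in self.permanent:
            return "permanent"
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if count >= PERM_BAN_AFTER:
            self.permanent.add(ip)
            self.temp_until.pop(ip, None)
            return "permanent"
        if count >= TEMP_BAN_AFTER:
            self.temp_until[ip] = now + TEMP_BAN_SECONDS   # renewed each failure
            return "temp"
        return "ok"

    def record_success(self, ip):
        """A successful login forgives earlier failures unless already permanent."""
        if ip not in self.permanent:
            self.failures.pop(ip, None)
            self.temp_until.pop(ip, None)

    def htaccess_deny_lines(self):
        """Render permanent bans in the 'deny from a.b.c.d' form the comment uses."""
        return [f"deny from {ip}" for ip in sorted(self.permanent)]
```

Note that the permanent set never expires, which is exactly what later replies object to: a legitimate user who mistypes five times, or the next subscriber assigned a dynamic address, inherits the ban.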

Not cool... I use several passwords and several logins, and it happened to me a few times to try 5+ unsuccessful login attempts, searching for the correct combination. It is already quite annoying to get captchas after the first attempt. Getting a permaban while being a legit user is a bit violent.

So, remember that article about millions of open telnet ports (port 23) found around the interwebs? And most of those were accessible w/default passwords (admin/admin, etc.). Every time I see an article talking about spikes in DDoS attacks, I wonder how many of those have been taken over as bots. My understanding is, most of those aren't user-errors, but manufacturer faults for leaving open ports on things like printers (thanks, HP!) and the like. Yeah, good luck fixing all of those.

Oh, I know a lot of ppl poo-poo his credentials, but I find him informative so... Steve Gibson went into more detail on the above findings on his podcast. Transcript here.

I operate a WordPress site. For a while I was seeing better than 150 illicit attempts to login per hour. Being sort of a stubborn cuss, I opened wp-login and rewrote parts of it. Now an IP address has two attempts to login. If those two attempts are unsuccessful, the IP receives a temp ban for a period of time. If there are three other unsuccessful attempts to login, that IP address is written to .htaccess as deny from aaa.bbb.ccc.ddd as a permanent ban. That slowed the attacks. My host is also recording and banning IP addresses that make repeated failed attempts to login. This solution will not work for those that allow readers to login.

Fortunately there is another solution that works well. Install the plugins "Mute Screamer" and "Better WP-Security", set as much of the security as is possible for your arrangement in the WP-Security dashboard and the "Tweaks" panel, and set login limits to three to five failed logins for a temp ban of 15 minutes. Mute Screamer is an IDS that will notify you of attempted intrusions. Better WP-Security can be toggled to record changed files and make recovery after any alteration easier.

Quick note: since these specific attacks are coming from a huge pool of IPs, this approach isn't going to be very effective against this specific attack. Plugins that slow or throttle login attempts are more useful than those that simply block IPs (look at Login Security Solution, or better, the Google Authenticator two-factor login).

In any case security for this is best handled as far down the web stack as possible where it'll consume the least resources. Allowing 90000 IPs to attempt to access the login pages is going to knock most sites offline, even if no login attempt is made. This is why for this attack the most effective place to block it is before it reaches the server by a security proxy/web application firewall service like CloudFlare, Incapsula, Cloud Proxy, etc...

It's unlikely any solution to this will make it into WordPress because, as mentioned above, it's mostly the wrong place for it. The firewall should be on apache/nginx (mod_security/naxsi) before a PHP thread even gets spun up. WP could bake required password strength, login throttling, or two-factor auth into core, but why should WP dictate one solution when there are many good solutions available for each of the many possible attack vectors?

If site owners don't know or want to be bothered with decisions about server configuration or what WP security precautions to implement, they have the option to hire a professional. That might be a consultant or might be paying for managed hosting from WP Engine, ZippyKid, etc...

I feel the root problem with all of this is the consumerization of web hosting by companies like GoDaddy/Host Gator/etc which offer lay people one-click installs of web applications without really explaining that the hosting company isn't providing support for the software or even basic security measures at the server level.

That's not entirely fair, as hosts do most of what security hardening they can, but it is limited. Shared hosting is hard to impossible to secure because what you do for WP might break phpBB, and what you do for Drupal might break osCommerce. Further, since it is shared hosting, users often don't have access to lock things down better even if they had the technical skill... Which all leads to users trying to block attacks like this where they do have control, WordPress/PHP, even when that's a poor place to do it.

It's still possible I've misunderstood somewhere, but this article does seem to fall victim to the classic "8-fold" vs. "8-times" distinction. A "fold" is a geometric progression and doubles at each step. 6.1 Gbps (un)folded 8 times is 1561 Gbps, not 48 Gbps nor even 130 Gbps. If I've missed the numbers which validate the 8-fold comparison, please enlighten me. If not, please stop perpetuating this uninformed usage.

Can you provide a source please?

I'm thinking you're falling victim to believing that jargon is universal. Does your definition of "n-fold" come from a specific field?

Normal dictionary entries for "-fold" say it is an adjective form for cardinal number multiplication -- e.g. that "threefold" means three times as many.

Webster's 1913: "Times or repetitions; -- used with numerals, chiefly in composition, to denote multiplication or increase in a geometrical ratio, the doubling, tripling, etc., of anything; as, fourfold, four times, increased in a quadruple ratio, multiplied by four."

Oxford American Dictionary: "suffix forming adjectives and adverbs from cardinal numbers: 1 in an amount multiplied by: threefold. 2 consisting of so many parts or facets: twofold."

Thanks to you and another reader for bringing facts back into the discussion. The sad thing is that 27 Ars subscribers gave this completely incorrect comment an up vote.

Did you seriously just make one of these totally off topic "times vs folds" comments an editor's pick? WTH? How about not feeding the grammar trolls... That's what is sad here.

I'm really OK with pulling their internet plug (any country harboring these thugs). Turn the whole area off from the outside world. Let them attack each other. Why should they be allowed to corrupt our systems in their never-ending war of hate against everything modern?

Just received word your neighbor is operating a botnet. In order to prevent corruption of our systems, we are pulling the internet plug for your neighborhood. Sorry, no Netflix for you tonight.

There are a couple good points to remember here.

#1 Most ISPs' TOS provide for disconnection/suspension if they detect you're infected/zombied. To me this is right and where this should happen.

#2 Most home IPs are dynamic and rotate. Just because 10.10.10.10 is infected and attacking 1000s of sites doesn't mean 10.10.10.10 won't be assigned to someone else tomorrow.

I've already heard of home users that have been blocked by web hosts who have overzealously implemented IP-based blocks. Right now a few failed login attempts to a WP site can get you blacklisted from logging into the WP dashboard across all sites hosted by a particular hosting company (seen this personally on InMotion Hosting, and it's been reported to me regarding Bluehost).

So 1+2 = 3... Make ISPs do it, and by extension make web hosts do it, or their ISPs should shut them off (BlueHost has an ISP; that ISP can/should watch for excessive malicious traffic).